According to the Health Information Trust Alliance's (HITRUST) analysis
of U.S. healthcare data breaches from 2009 to the present, the
healthcare industry has made little progress in reducing the number of
breaches with troubling statistics seen from the same types of
organizations, breaches and locations. The retrospective analysis of
breaches affecting 500 or more individuals indicates a slight decline in
the total number of breaches during the past three years, but overall
the industry's susceptibility to certain types of breaches has been
largely unchanged since breach data became available from the U.S.
Department of Health and Human Services (HHS) and the new HIPAA and
HITECH Act regulations went into effect.

HITRUST periodically analyzes the breach data from HHS and other sources
and makes it freely available to the industry to inform organizations of
trends and continuing security and privacy risks, and to direct
modifications to HITRUST programs and requirements.

"By conducting and publicizing this analysis, we believe that over time
we can facilitate a fundamental shift in the healthcare industry toward
achieving a state of security and privacy that is on par with other
leading industries," said Daniel Nutkis, chief executive officer,
HITRUST. "While the data itself is not terribly surprising, it does
serve as a critical reminder of the education and improvement that still
needs to occur across the industry, regardless of organization type and
size. I believe this is why HITRUST continues to see increasing adoption
numbers for the HITRUST Common Security Framework (CSF) and
participation in the CSF Assurance Program, especially from
organizations that have made the commitment to train their security and
privacy professionals so that they have the necessary knowledge and
skills."

A close look at the HHS data reveals that since 2009 the industry has
experienced 495 breaches involving 21 million records at an estimated
cost of $4 billion. With the annual number of total breaches remaining
fairly consistent, hospitals and health systems is one of the few groups
that can claim some improvements in protecting health information with
the largest decline in reported breaches. This group experienced a
decline of 71 percent from 2010 to 2011 in the number of breaches, and
for the first two quarters of 2012 has only experienced 14 breaches
(compared with a total of 48 for 2011). Health plans have also seen a
steady decline in breaches since 2009 and have not had to post since the
first quarter of 2012.

"We are seeing healthcare providers adopting the HITRUST CSF at a
greater rate than other segments, which could be attributed to
escalating pressures faced by this industry segment relating to the
protection of health information," said Nutkis. "This group is also
leveraging guidance from the CSF Assurance Program that focuses on the
high risks for healthcare such as unencrypted devices in support of
their meaningful use attestations."

In addition, HITRUST believes that Stage 1 meaningful use may have
incentivized and/or raised awareness for the need for security,
particularly in the most likely areas of laptops, desktops and mobile
media. However, the data indicates that physician practices, which
should be similarly motivated by meaningful use incentives, have
continued to demonstrate a lack of progress. This is especially true of
saller physician practices where those with one-to-100 employees
account for over 60 percent of the breaches reported in the segment. The
analysis indicates that organizations such as these likely lack the
awareness and resources in order to adequately recognize the issues and
take actions to preempt future breaches. As the interconnectivity of
organizations increases through community health records and health
information exchanges, small practices may pose a new and significant
risk to larger entities that have begun to get a handle on security and
privacy.

HITRUST believes that in order for there to be a significant decline in
the total number of breaches, the industry must find a way to reach
physician practices and provide them with simple cost-effective
solutions to their biggest challenges. A step in the right direction
would be to provide these smaller organizations - and the industry as a
whole - with education tailored to security in healthcare in conjunction
with more automated and sophisticated methods to identify and correct
risks. This enables small organizations to more easily acquire the
necessary skills supplemented by technology so they too can be
successful. The HITRUST report provides recommendations for physician
practices needing to proactively address their security initiatives.

Surprisingly, reported hacking and malware infections remain low,
accounting for a total of eight percent of the breaches. "Data we
receive from other sources strongly indicates that U.S. healthcare
organizations of all types are experiencing data loss due to viruses,
attacks by cyber criminals, password sharing by clinicians, and the
prevalence of vulnerabilities in electronic health record (EHR)
technologies that are not communicated," said Nutkis.

HITRUST recently launched the Cyber Threat Analysis Service (CTAS) in
partnership with iSIGHT Partners to identify and analyze cyber threats
to the U.S. healthcare industry. The CTAS has published more than a
half-dozen reports of healthcare data being exploited in underground
message boards by cybercriminals from the U.S., Russia and China that
cannot be linked back to the reported breaches from HHS. In addition,
the service has found that malware is present on approximately 30
percent of endpoint devices in smaller healthcare organizations.

A November 2012 report from the CTAS highlights this new dynamic in the
cause for breaches with the observation that a database containing
personally identifiable information (PII) and protected health
information (PHI) was advertised for purchase on a prominent cybercrime
forum.

HITRUST's own assessment data suggests many breaches may go unreported
or undiscovered. Nutkis continued, "because of the gap between the
breach data and other sources, we believe the breaches being reported
are not all inclusive. While we do not have a sense of the exact
magnitude, given the cyber threats that healthcare and other industries
face, we believe it must continue to be taken seriously."

The HITRUST analysis also identified other areas of concern for the
industry:

Even in this electronic age, breaches of paper records remain
significant among the leading segments (providers, payers, government)
with errors in mailing and disposal of records playing a substantial
role in some of the highest profile paper-based breaches. Since 2009,
paper records comprise 24 percent of healthcare breaches, second only
to laptops.

Business associates continue to account for a significant number of
breaches (21 percent) and are implicated in a majority of the records
breached to-date (58 percent). This continues to be a problem across
all organization types, with physician practices struggling the most.

The average time to notify individuals and HHS following a breach is
68 days, with over 50 percent of organizations failing to notify
within the 60 day deadline set by HITECH.

The results of HITRUST's analysis of breach data are influencing updates
to the 2013 version of the HITRUST CSF - available in January 2013 - and
modifications to the CSF Assurance Program. The program is being updated
to align with Stage 1 and 2 meaningful use requirements, and provide
adequate coverage for high risks, including endpoint security, third
party assurance, and continued requirements for secure disposal. HITRUST
is developing and will be releasing detailed illustrative procedures
alongside the 2013 updates to provide standardized, industry-approved
audit and assessment guidance to HITRUST CSF Assessors, covered entities
and business associates.

The HITRUST report - "A Look Back: U.S. Healthcare Data Breach Trends" -
is publically available for download at HITRUSTalliance.net/breachreport
along with an infographic of the analysis. The report includes in-depth
analysis of the breach data and provides recommendations for addressing
issues relating to security for endpoint devices, mobile media, paper
records, business associates and physician practices.

About HITRUST

The Health Information Trust Alliance (HITRUST) was born out of the
belief that information security should be a core pillar of, rather than
an obstacle to, the broad adoption of health information systems and
exchanges. HITRUST, in collaboration with healthcare, business,
technology and information security leaders, has established the Common
Security Framework (CSF), a certifiable framework that can be used by
any and all organizations that create, access, store or exchange
personal health and financial information. Beyond the establishment of
the CSF, HITRUST is also driving the adoption of and widespread
confidence in the framework and sound risk management practices through
awareness, education, advocacy and other outreach activities. For more
information, visit HITRUSTalliance.net.

All product and company names herein may be trademarks of their
respective owners.